Why Am I Getting All These Terms of Service Update Emails?

Anyone looking at their inbox in the last few months might think that the Internet companies have collectively returned from a terms-of-service writers' retreat. Company after company seems to have simultaneously decided that your privacy is tremendously important to them, and they collectively beg you to take a look at their updated terms of service and privacy policies.

You might assume that this privacy rush is connected to the ongoing Cambridge Analytica scandal, and Mark Zuckerberg's recent face-off with Congress. It's certainly true that Facebook itself has been taking some voluntary steps to revamp its systems in direct response to pressure from politicians in the U.S. and abroad. But most of the companies that are sending you email right now are doing so because of their own, independent privacy spring-cleaning. And that's almost entirely due to Europe's General Data Protection Regulation (GDPR), which comes into force on May 25th. Most companies that have users in Europe are scrambling to update their privacy policies and terms of service to avoid breaking this new EU law.

The GDPR strongly encourages clarity in "information addressed to the public" about privacy—making now an excellent time for companies to provide clearer and more detailed descriptions of what data they collect, and what use they put it to.

Then again, those updates might be a little overdue. Companies were always supposed to do this under European law—and, for that matter, Californian law too, which since 2003 has required any service that collects your private information to spell out its data use in detail. But the additional penalties of the GDPR (with fines of up to 20 million euro, or 4% of global revenue) and the increasing confidence of European data protection regulators have prodded many international companies to finally pay closer attention to their legal obligations.

The EU regulators are certainly paying attention to these email updates. A strongly-worded blog post this week by EU's head enforcer, European Data Protection Supervisor (EDPS) Giovanni Buttarelli, warned the public and his fellow regulators to be "vigilant about attempts to game the system", adding that some of these new terms of service emails could be "travest[ies] of the spirit of the new regulation".

What To Look For

So what might you look for in these changes? What are the potential good points, and where might Buttarelli's travesties be hiding?

First, it depends on where you're living. Companies aren't under a legal obligation to implement the GDPR's provisions for all their users. You may even be able to see those new geographical distinctions in their changed terms. People in Europe (not just EU citizens) must be protected under the new law, but it's an open question whether Americans or those outside both regions will get the same treatment. You should be able to tell the details of those differences from the new policies. (Or not: Facebook, for instance, is only showing its new, detailed legal justifications for its data collection to users in Europe, and hiding that page from other users.)

Some of the changes may just involve refinements in terminology. What companies have to do to comply with the GDPR, for instance, greatly depends on whether they're "data controllers" or "data processors" – roughly speaking, whether they have the responsibility to manage your data, or whether they're just handling it on behalf of another party.

You may well see some frantic games of pass-the-parcel in the next few weeks as different services attempt to minimize or share their compliance burden. You can spot that in how they describe who is the "data controller" in their terms. For instance, Etsy, whose users are both buyers and sellers, has changed its language to emphasize that sellers are independent data controllers of your data. Google, meanwhile, has provoked a furious response from Europe's media publishers, after it declared itself the controller for the data from the ads and trackers that publishers put on their own websites, but expected that the publishers were the ones responsible for obtaining consent to share this data.

Some of the other changes have a more immediate, positive result, though. The GDPR is an embodiment of the data protection rights spelled out in the EU's Charter of Fundamental Human Rights, which states:

Everyone has the right to the protection of personal data concerning him or her... Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

When it comes to changes in these terms, most of the work will be spelling out those "specified purposes" in more detail, as well as explaining why the company thinks they can legitimately process it under the GDPR.

But there may also be changes in your ability to look at the data itself, and change it. For instance, Twitter users can now peer at the full pile of data that the company has picked up on them from their tweets and cross-referenced advertisers' databases. You can also delete data that you don't want Twitter to keep using.

That right of access also means that you can take your information with you. Under the GDPR, companies have to provide "data portability"—which means that they should provide you with your data in a way that lets you easily move it to a competing service – at least if you are in Europe.

Now more companies will provide these data dumps. The pre-existing services have already markedly improved. For users in the EU, they should also offer a way to truly and permanently delete your account and all its data.

Still, these are the kind of user-empowering features that some companies would rather you didn't know too much about, so don't be surprised if the only news you hear about them comes from poring over these changes to long documents.

As Buttarelli says, such "legal cover" might well be against the spirit of the GDPR, but it's going to take a while for companies, regulators, and privacy groups to establish what the law's sometimes ambiguous statements really mean. One particularly knotty problem is whether the language that many of these emails use ("by using our service, you agree to these terms") will be acceptable under the GDPR. The regulation is explicit that in many areas, you need to give informed, unambiguous consent by "a statement or clear affirmative action." Even more significantly, if the data being collected by a company isn't necessary for the service it is offering, under the GDPR the company should give covered users the option to decline that data collection, but still allow them to use the service.

That's what the EDPS is complaining about when he says that some of these terms of service updates could be "travesties". If they are, you might find some more email updates in your inbox. And so could the companies sending them—from the EU's data protection regulators.
